Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Fixed possible floating point exception with arithmetic operator 'mod'.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 7cf8bdeb6c518974f1281ab90cfd329002d694f514512fb422425de4d380f4a6
User & Date: rolf 2019-07-11 14:07:33
Context
2019-07-16
20:47
Modified test to work as intended on 32-bit also. Fixes [156ce3b130e8]. check-in: 4aa07a679d user: rolf tags: trunk
2019-07-12
22:26
Merged from trunk. check-in: df3a907a20 user: rolf tags: schema
2019-07-11
14:07
Fixed possible floating point exception with arithmetic operator 'mod'. check-in: 7cf8bdeb6c user: rolf tags: trunk
02:02
Fixed possible seg fault with malicious input. check-in: d22f55f9a3 user: rolf tags: trunk
Changes

Changes to generic/domxpath.c.

4459
4460
4461
4462
4463
4464
4465






4466

4467
4468
4469
4470
4471
4472
4473
                rsSetReal (result, dLeft / dRight);
            }
            break;
        case Mod:
            if ((int)dRight == 0) {
                rsSetNaN (result);
            } else {






                rsSetInt  (result, ((int)dLeft) % ((int)dRight));

            }
            break;
        default:        break;
        }
        xpathRSFree (&rightResult);
        xpathRSFree (&leftResult);
        return XPATH_OK;







>
>
>
>
>
>
|
>







4459
4460
4461
4462
4463
4464
4465
4466
4467
4468
4469
4470
4471
4472
4473
4474
4475
4476
4477
4478
4479
4480
                rsSetReal (result, dLeft / dRight);
            }
            break;
        case Mod:
            if ((int)dRight == 0) {
                rsSetNaN (result);
            } else {
                if (dRight < LONG_MIN - 0.1
                    || dRight > LONG_MAX + 0.1
                    || dLeft < LONG_MIN - 0.1
                    || dLeft > LONG_MAX + 0.1) {
                    rsSetNaN (result);
                } else {
                    rsSetInt  (result, ((long)dLeft) % ((long)dRight));
                }
            }
            break;
        default:        break;
        }
        xpathRSFree (&rightResult);
        xpathRSFree (&leftResult);
        return XPATH_OK;

Changes to tests/xpath.test.

1188
1189
1190
1191
1192
1193
1194
























1195
1196
1197
1198
1199
1200
1201
} {}

test xpath-5.58 {afl-fuzz found seg fault in reporting error in invalid expr} {
    set doc [dom createDocument doc]
    catch {$doc selectNodes concat([string repeat 1 250],1,1)}
    $doc delete
} {}

























set doc [dom parse {
<root>
  <asub>asub2</asub>
  <asub>asub3</asub>
  <asub>asub4</asub>
  <bsub>bsub1</bsub>







>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>







1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
} {}

test xpath-5.58 {afl-fuzz found seg fault in reporting error in invalid expr} {
    set doc [dom createDocument doc]
    catch {$doc selectNodes concat([string repeat 1 250],1,1)}
    $doc delete
} {}

test xpath-5.59 {afl-fuzz found floating point exception in mod calulation} {
    set doc [dom createDocument doc]
    set result [list]
    lappend result [$doc selectNodes "1111111111111 mod -1"]
    lappend result [$doc selectNodes "111111111111111111111111111111111111111 mod -1"]
    $doc delete
    set result
} {0 NaN}

test xpath-5.60 {afl-fuzz found floating point exception in mod calulation} {
    set doc [dom createDocument doc]
    set result [list]
    for {set i 1} {$i < 20} {incr i} {
        for {set j 1} {$j < 20} {incr j} {
            set this [$doc selectNodes "$i mod $j"]
            if {$this != ($i % $j)} {
                lappend result [list $i $j $this [expr "$i % $j"]]
            }
        }
    }
    $doc delete
    set result
} {}

set doc [dom parse {
<root>
  <asub>asub2</asub>
  <asub>asub3</asub>
  <asub>asub4</asub>
  <bsub>bsub1</bsub>